From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.cybernetics.com ([173.71.130.66]:23364 "EHLO
	mail.cybernetics.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1752728AbcBVPgZ (ORCPT
	<rfc822;stable@vger.kernel.org>); Mon, 22 Feb 2016 10:36:25 -0500
Subject: Re: USB oops regression caused by -stable patch
To: "Du, Changbin" <changbin.du@intel.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
References: <56C7293D.2040105@cybernetics.com>
 <20160220222119.GC30358@kroah.com>
 <0C18FE92A7765D4EB9EE5D38D86A563A05CC10F1@SHSMSX103.ccr.corp.intel.com>
Cc: "linux-usb@vger.kernel.org" <linux-usb@vger.kernel.org>,
	stable <stable@vger.kernel.org>
From: Tony Battersby <tonyb@cybernetics.com>
Message-ID: <56CB2AF8.2090806@cybernetics.com>
Date: Mon, 22 Feb 2016 10:36:24 -0500
MIME-Version: 1.0
In-Reply-To: <0C18FE92A7765D4EB9EE5D38D86A563A05CC10F1@SHSMSX103.ccr.corp.intel.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

Thanks, that fixes it.  Tested on 4.5.0-rc5 and 3.18.27.  Just to be
clear, I tested it *without* reverting d8f00cd685f5.  So this patch is
in addition to d8f00cd685f5 instead of replacing it.

Tested-by: Tony Battersby <tonyb@cybernetics.com>

On 02/21/2016 09:27 PM, Du, Changbin wrote:
> Thanks for reporting, Tony. It was remiss of me.
> There is another BOS free operation in label re_enumerate. This cause a double-free of BOS.
> USB2 doesn't have BOS desc, so you cannot reproduce it.
>
> I am on a travel. It is appreciated if you can help try below fix.
>
> Hi, Greg, I will commit a final patch once returned from travel.
>
> --- a/drivers/usb/core/hub.c
> +++ b/drivers/usb/core/hub.c
> @@ -5501,8 +5501,10 @@ done:
>         return 0;
>  
>  re_enumerate:
> -       usb_release_bos_descriptor(udev);
> -       udev->bos = bos;
> +       if (udev->bos != bos) {
> +               usb_release_bos_descriptor(udev);
> +               udev->bos = bos;
> +       }
>
> Best Regards,
> Du, Changbin
>
>> On Fri, Feb 19, 2016 at 09:39:57AM -0500, Tony Battersby wrote:
>>> This upstream commit is causing an oops:
>>> d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")
>>>
>>> This patch has already been included in several -stable kernels.  Here
>>> are the affected kernels:
>>> 4.5.0-rc4 (current git)
>>> 4.4.2
>>> 4.3.6 (currently in review)
>>> 4.1.18
>>> 3.18.27
>>> 3.14.61
>>>
>>> How to reproduce the problem:
>>> Boot kernel with slub debugging enabled (otherwise memory corruption
>>> will cause random oopses later instead of immediately)
>>> Plug in USB 3.0 disk to xhci USB 3.0 port
>>> dd if=/dev/sdc of=/dev/null bs=65536
>>> (where /dev/sdc is the USB 3.0 disk)
>>> Unplug USB cable while dd is still going
>>> Oops is immediate:
>> Not good, thanks for letting us know.  I've now reverted this and will
>> get the fix into 4.5-rc6.
>>
>> greg k-h